
Yahoo Messenger virus on the loose!




I’ve been noticing that a lot of people on my YM list are sending me random messages with links to some sites. I’ve had this before, and that time it was coming from my end, so now I know people are simply getting infected by a new worm somehow.

I also got this from one of my contacts:

PLS BE INFORMED IMMEDIATELY! A virus is on a rampage in Messengers. The virus name is WORM_SOHAND.I. It shows itself as an innocent IM with a link to a site and tells you it is about cool pictures. When the link is clicked, it takes control of your registry, changes your browser’s homepage and disables you from changing the homepage! After it is clicked it also sends itself to everyone in your messenger list. So if you receive it, please remember DO NOT CLICK THE LINK! Just close the window or read the other offline messages. Warning: it may come from your closest friends too! PLEASE, PASS IT ON TO ALL


Anybody else experiencing this lately? I did a search and it’s not showing up anywhere yet, but it’s definitely a virus/worm.

****Linky Goodness****

Free Norton Antivirus software download



Abe is the founder and Editor-in-Chief of YugaTech. You can follow him on Twitter @abeolandres.


53 Responses

  1. Arbet says:

    Hi, check out Trend Micro’s description for the variant I http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOHANAD.I

    I had tried clicking on one of those links, and users of Firefox are somewhat safe from this. This virus shows a lot of messages and links.

  2. jong says:

    I’ve experienced this several times already. But I haven’t tried clicking the links because it is unusual for my friends to give a link with a random message and stuff…

  3. DannyBoy says:

    I was warned early on that thru YM, viruses exist. Good thing I’m not using YM these past days. So yup, we got company.

  4. Miguel says:

    I’m now using GAIM for YM and XMPP (our internal company IM). I was using it for Windows Live (or MSN Messenger) but I believe I lost a message so I dropped it.

  5. jepoy says:

    firefox users are safe from that YM virus :)

  6. ade says:

    Unfortunately, even though there were sufficient warnings, people still get infected.

  7. ade says:

    @Jepoy: even though we Firefox users are surfing safer, let’s not be complacent. ;)

  8. Joseph says:

    I have that message whenever I open YM. But I never open the link because although the sender is on my list, we did not have a prior conversation/chat.

  9. GUrbi says:

    Me, I also received that link in my YM and it brought me to a site where I got the virus. I have posted some suggestions on how to recover from Yahoo Messenger Virus. Visit my blog for more details…

  10. eric says:

    i do get those offline messages from time to time. usually from contacts. but i never open these links since the offline messages appear to be very doubtful. it looks like the messages really aren’t coming from the contacts themselves.

  11. ralphot says:

    yeah, i’ve posted this a few weeks back. it’s really annoying. when i login the next day, i get close to a hundred offline messages of this nature.

    a few of my officemates got affected by this too. they just tinkered with something in the registry to turn this off.

  12. nightfox says:

    haha.. actually, i click anything, anywhere..

    Use Linux/Mac.

    (at least when there’s really a critical effect [from doing such things] on the system then that’ll surely challenge me and everyone in the Linux/Mac community to resolve it)

  13. Pradeep says:

    I was also affected by the problem. Norton real protection detected and deleted the malware files. But still I was not able to unlock the internet explorer homepage, registry editor and task manager. For that I just created a new user profile and deleted the old one. That solved the problem.

  14. nelson says:

    I have encountered this and I was able to heal my computer. I will put together the steps to heal. Just remind me or email me, so I can send the steps and the links to some hijack removal software that need to be downloaded.

  15. stuck says:

    Yeah, me too, facing the same problem… is there any solution to this cool pics virus problem? It’s spreading by leaps and bounds day by day!

  16. stuck says:

    Yeah, me too, facing the same problem… is there any solution to this cool pics virus problem? It’s spreading by leaps and bounds day by day! Please advise.

  17. nightfox says:

    @stuck – tried using another YM client? well, in case of viruses.. if you’re using Windows – that’s somewhat hard..

  18. nelson says:

    These may help you guys.

    An svchost.exe file from a clean PC should be used to replace the infected file brought about by the thecoolpics.net spyware. Also, an svchost32.exe that may exist in the windows/system32 folder must be removed. See http://www.file.net/process/svchost32.exe.html for a description of what it does.

    Also the ff may be helpful, in case certain changes were made by the said spyware:

    1. To Unlock Registry:

    Paste the line below to the command prompt (Start, all programs, accessories, command prompt) — >>
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    2. To Enable TaskMgr: Paste the line below to the command prompt — >>

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    3. To Unhide Run command: Paste the line below to the command prompt — >>

    REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

    4. To Unhide Folder Options: Paste the line below to the command prompt — >>

    REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

    I hope this will help you. email me at: [email protected] for other help.

  19. Joey says:

    Once you open the cool pics link, you are already infected, which is what happened to my computer. Same case as above: Registry disabled, Ctrl+Alt+Del (Task Manager disabled by administrator), home page address changed to cool pics, and the one that gives me a headache is that when your infected Yahoo Messenger is open along with your Excel / Word program, those links also get pasted into your document twice automatically. You cannot find the RUN command since this was already corrupted, and it also disappeared from the Task/Start Menu. Question: is reformatting Windows XP Home Edition an alternative solution for 100% removal of this virus? But one thing: when I opened the guest user first it was okay, and I followed your instructions, but the problem still exists on Yahoo Messenger… thanks in advance

  20. problematic says:

    In my case, after doing such, i used Avg to remove it. it worked somehow, then i did this reg thing.

    click, start then run then type

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

    or just copy everything

    then click run again then type

    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

    The only problem with my case was that I have an svchost.exe file in my Windows System32, but it was last modified in 2004, so I was wondering if it’s the same thing. If you guys could help me clear it up, whether it’s a valid file or a virus, please email me. [email protected].

    Another thing: my task manager already works, however, I could not end the svchost process. Whenever I end it, my computer shuts down. I don’t know if it’s core, but the svchost file seems to be working together with other programs, and I couldn’t delete it because it runs in several programs. Please help me, I really don’t know what to do about that.

  21. Ryan says:

    So, it’s a virus. I thought it was only some sort of spyware that plagues the messenger and whenever you click on the links, that’s the time that you get the virus.

    A secured browser is enough to at least prevent it.

  22. Robert says:

    There’s this other YM virus from Vietnam, funni.exe. I have used many AVs but still couldn’t detect the virus.

  23. oobi says:

    This malware calls a backup copy and reconstructs itself on a partially healed PC. Not to mention that your default homepage may still be pointing at the online malware site (while curing the PC, unplug your internet and make sure that it points to Yahoo or Google).

    You can compare the identified malware files with those which can be hiding as backups within other folders like the startup folder. Note the size and date of the detected malware so you can delete backup copies. You have to kill/delete the running malware executable and other clone executables (usually under safe mode, to get around the file locking mechanism). Files such as host.exe and host32.exe are said to be backups according to one site I read. See also SmitfraudFix for a possible solution.

    The registry keys you can check for possible reconstruction scripts are (using Regedit; it needs caution as you may touch sensitive data):
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Windows 95/98/ME registry includes the following seven keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

    or to be safe download IE Protector And Tracks Eraser or similar apps that have an option to disable automatically loading files.
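The two comments above (18 and 23) describe the same clean-up by hand: four policy values to reset with REG add, and the Run/RunOnce keys to inspect for the worm's autostart entry. The PowerShell script below is an added example, not code from the post or any commenter, that audits exactly those locations and reports what it finds; it changes nothing unless run with -Fix, and the "clone" file-name list and the path heuristic are assumptions taken from what comments 18, 23 and 30 mention, not a complete signature.

```powershell
# Added example, not from the post or its commenters: audit (and optionally undo) the
# policy values and autostart keys that comments 18 and 23 walk through. Read-only
# unless -Fix is given, so it is safe to run first and just look at the output.
param([switch]$Fix)

# The four policy values comment 18 resets with REG add ... /d 0 /f.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $val = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if (-not $val) {
        Write-Host ("[ok]     {0}\{1} is not set" -f $p.Path, $p.Name)
        continue
    }
    Write-Host ("[TAMPER] {0}\{1} = {2}" -f $p.Path, $p.Name, $val) -ForegroundColor Red
    if ($Fix) {
        # Same effect as the REG add line: DWORD value 0 means "not restricted".
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value 0 -Type DWord
        Write-Host ("[fixed]  {0}\{1} reset to 0" -f $p.Path, $p.Name)
    }
}

# Autostart keys listed in comment 23 (NT-family set; a missing key is skipped).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# File names comments 18, 23 and 30 associate with the worm's clone copies (assumed
# list). The legitimate svchost.exe lives in System32, so only its "32" twin is flagged.
$cloneNames = '\\(svchost32|host|host32|lsas)\.exe'
foreach ($k in $runKeys) {
    $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    # Skip PowerShell's own PSPath/PSParentPath/... bookkeeping properties.
    foreach ($prop in ($item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$prop.Value
        # Rough heuristic: flag a clone file name, or a launch path outside
        # Windows\ and Program Files\ (entries using %SystemRoot% will also be flagged).
        $suspicious = ($cmd -match $cloneNames) -or
                      ($cmd -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
        $tag = if ($suspicious) { '[CHECK]' } else { '[ok]   ' }
        Write-Host ("{0} {1}\{2} = {3}" -f $tag, $k, $prop.Name, $cmd)
    }
}
```

Run it from an elevated prompt so the HKLM values can be written when -Fix is used; as comment 23 advises, do this with the network unplugged and verify each flagged entry before deleting anything.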

  24. oobi says:

    Using Linux-based messengers is safe, but if you are stuck on Windows you may try http://www.meebo.com for a web interface connection to YM. Yahoo also has a new web interface integrated with their mail service. YM’s interface has a LaunchCast cache of messages (from where the malware sends the random messages); try to google how to clear it.

  25. gen orino says:

    download this security task manager!! it really worked for me.. you use it to detect and quarantine the dangerous files.. http://www.neuber.com/taskmanager/index.html?ref=file.net

  26. jervin domingo says:

    how do i remove this kind of virus… my friend tells me i send this kind of message:

    ình di?n xi?c “r?n tóc gáy” freewebtown.com/gaigoitanbinh/index.html

    but on my end i am not sending any..

    please email me @ [email protected]

    i would really appreciate if you can email me on how to delete this.. thanks

  27. michale guevarra says:

    please help me on how I can remove this AVIFUNNY UST SCANDAL from my pc. someone sent me an offline message but i didn’t accept it coz i’m not sure what it is. but it already entered my pc; however many times i delete it, it is still there. i can’t open my RUN and system32 now. please, if anyone can help me on how to remove it, please reply…

  28. michale guevarra says:

    please help me on how I can remove this AVI UST FUNNY SCANDAL. coz i’m afraid to open my yahoo messenger now. coz i don’t want any of my friends to get this too. please email me, here’s my email add [email protected] help me please

  29. Rain says:

    that kind of virus infected my pc (twice!!).. Solution: Restore my pc to the time when it was in good condition.. and after that, I scanned my registry using the Registry Mechanic program. Just as simple as that.. if you have any comments about this, please email me @ [email protected]
    http://rainrace.blogspot.com

  30. oobi says:

    I found this pdf file that analyzed the malware:

    http://geocities.com/rahulmohandas/hacking_the_malware.pdf

    Regarding the AVIFunny file. This is also detected by AVG but is not healed by AVG. I was able to manually delete the malware files of a friend, but with difficulty. It has a self-regenerating mechanism also, as follows: registry autoloads (see above list and use the Edit > Find command in regedit to be sure such registry entries are not stored anywhere else). It also puts spurious lsas.exe and smss.exe files in the Windows directory (there are legitimate files of these names used by Windows; under Windows Task Manager, the legit files will shut down Windows if the process is stopped). An infected file in WINDOWS\system32\drivers\etc was also found. It created files in the windows/prefetch folder (some of these entries initially refused to be deleted; you may try to open it with notepad and if prompted that no such file exists, create one with the same name of your own just to be sure). Malware files are also found in all other partitions or separate hard disks. Search and delete the malware files carefully and cure registry settings while the modem is unplugged and in safe mode. Run AVG again after (still unplugged from the internet; if still detected, repeat the process again).

  31. michale guevarra says:

    GOOD DAY TO ALL. ABOUT THE AVI UST SCANDAL FILES, I ALREADY RESTORED MY PC TO THE DATE I KNOW IT WAS WORKING PROPERLY, BUT AFTER THE RESTORING I AGAIN CHECKED MY WINDOWS & PREFETCH AND IT IS STILL THERE. STILL I CAN’T OPEN SYSTEM32 & THE RUN PROGRAM… PLEASE HELP ME, I DON’T KNOW WHAT TO DO WITH THIS FILE, I CAN’T USE MY PC PROPERLY… HELP ME PLEASE…
    [email protected]

  32. jake says:

    help please….!!! the scandal thing on my ym just won’t go away. by the way, here’s my email [email protected] thanks…!!!

  33. michale guevarra says:

    hello again, just wanna share how i removed the AVI funny ust scandal on my pc. i just downloaded the AVAST anti virus, it is really working hard. so now i can use my pc in good condition again… i got AVAST on this site http://www.avast.com

  34. Farah L. says:

    The other day I clicked on a file transfer that I thought was sent by my chatmate but I was wrong; the file is skyflake. What I did was download & save it to my desktop, then run my anti virus on said file before I opened it. I just want to know if this is a virus coz last night I emailed some pics but I was told there’s one in those I sent that can’t be opened because something was attached to it that my chatmate’s anti virus won’t open. If this is a virus, did it already start to spread by attaching something to my attachments? Please, if anybody could tell me if this is the latest virus that plagues YM & suggest how to get rid of it, although I deleted the file already, it would be most appreciated. TY.

  35. jason says:

    me, i also have the ym virus, tagalog version. i cannot do what is right, or how to remove that “funny scandal”; it’s my enemy virus of all.
    plz contact me on my ym at “jasonblue2008”, plz help me with how i can remove this

  36. What’s that YM virus, Tagalog version? My girlfriend actually got that virus also. Is there any way to get rid of it?

  37. Joven says:

    Help please, I have the same AVI.Funny scandal virus. It is making my Excel and printers malfunction.

  38. Joven says:

    here is my email address, by the way: [email protected]

  39. Joven says:

    My computer is OK now. Download avast home edition and everything will be taken care of.

  40. charles says:

    help please! that AVI UST SCANDAL virus! bad trip, first it was only on my pc, then when i opened my laptop it got the same virus too!!! please help, how do i recover from this! email me at [email protected] i really need to know how to recover from this virus thanks!

  41. Nearly all AIMs are vulnerable because millions of people use them and few care about security. Programmers also concentrated more on design features than on security.

  42. david says:

    help please… my YM has a virus, but it’s not Tagalog, it seems Indonesian… it sends a link to everyone…
    my UST scandal remover does detect it, but when you open it again, there it is again…

  43. pandu says:

    even i’m facing the same problem

  44. Nararanasan din ang nararanasan nyo says:

    i experienced that too…. just now
    they say delete your yahoo folder first, then download it again…

  45. Rei says:

    omg i have same issue too, mine is:

    i have problems with my YM coz it keeps sending languages* and a link that i couldn’t understand to my friends list, and my friends say that it was a virus, then they recommend an online scan. but when i visit bitdefender.com or avast.com, the page cannot be displayed. can someone help me.

  46. curly says:

    i have a problem: if i log in on my YM it makes my laptop freeze. i don’t know what happened, pls help me!!!!!!!!!!!

  47. jessnoe says:

    Good day to You..
    My computer is having a problem. It started when i downloaded a file yesterday..
    Occasionally when i try to open Mozilla Firefox and the other icons on Windows,

    the result was this
    At night when i turn to open my computer this was the result

    =<Java Virtual machine launcher-Invalid or corrupt jarfile C:\Progaram files\ahead\lib\NMBg monitor.exe

    =<Java virtual machine launcher-Invalid or currupt C:\windows\systems32\ctfmon.exe

    =<Java virtual machine launcher-Invalid or currupt C:\yahoo.\Messenger\yahoo messenger.exe

    =<Java virtual machine launcher-Invalid or currupt C:\program files\USB Disk Security\USB Guard exe.

    =<Java virtual machine launcher-Invalid or currupt C:Program\ALWILS-I\Avast4\ash Disp.exe.

    =<Java virtual machine launcher-Invalid or currupt C:\program files\ Messenger\msmsgs.exe.

    As i understand about it,all the program and the system was corrupted.

    What does it mean? Is it a virus? What should i do to get it back? Is there any solution aside from reformatting my computer?

    Please send me a reply……

    -When god make you-

  48. rin says:

    thanks,gen orino….ur info really work to remove the virus =)

  49. chad says:

    .hey, a problem [email protected] i clicked and downloaded the link.. stupid me, i know.. now my laptop doesn’t start.. it’s stuck on windows boot manager.. what shall i do?.. i’m gettin’ paranoid.. please do [email protected]..

  50. Aya says:

    How can I eliminate the virus? Some of my friends notified me that I keep on giving them weird messages which I’m not aware of. Is it my YM app on my CP or the account itself? I have tried deleting my FB and YM accounts on my CP today since both were linked.
